CVE-2021-3468: Infinite Loop in Avahi

CWE-835: Infinite Loop | 9 documents | 7 sources
Severity: 5.5 MEDIUM (NVD)
EPSS: 0.0% (top 91.23%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 2; Latest update May 24

Description

A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 1.8 | Impact: 3.6

Affected Packages (12 packages)

Debian (debian/avahi): < avahi 0.8-7 (bookworm)
Debian (avahi/avahi): < 0.8-5+deb11u2+3
Ubuntu (avahi/avahi): < 0.7-3.1ubuntu1.3+1
NVD (avahi/avahi): 0.6 to 0.8
CVEListV5 (avahi/avahi): All avahi versions 0.6 up to 0.8

Also affects: Debian Linux 9.0

🔴 Vulnerability Details (3)

GHSA: GHSA-43rm-fv4g-cmj8: A flaw was found in avahi in versions 0... (2022-05-24)
OSV: avahi vulnerabilities (2021-07-07)
OSV: CVE-2021-3468: A flaw was found in avahi in versions 0... (2021-06-02)

📋 Vendor Advisories (5)

Ubuntu: Avahi vulnerabilities (2021-07-07)
Ubuntu: Avahi vulnerability (2021-07-07)
Microsoft: A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function all... (2021-06-08)
Red Hat: avahi: Local DoS by event-busy-loop from writing long lines to /run/avahi-daemon/socket (2021-03-10)
Debian: CVE-2021-3468: avahi - A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal th... (2021)